The Intelligence Corner

Our experts’ unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Search results
Posts of Vitali Kremez

Banco de Chile ‘MBR Killer’ Reveals Hidden Nexus to Buhtrap Malware Kit Used to Target Financial Institutions, Payment Networks

Wiper malware that may have destroyed as many as 9,000 workstations and 500 servers inside the Banco de Chile in a late-May attack has similarities to the Buhtrap malware component known as MBR Killer, leaked to the underground in February 2016. Analysts at Flashpoint reverse-engineered the identified malware linked to the May 24 attack against […]

Read more

Trickbot and IcedID Botnet Operators Collaborate to Increase Impact

Different banking malware operations previously competed for victims, often seeking out and uninstalling one another upon compromising machines; for example, the SpyEye malware would uninstall Zeus upon infection. Now, in what may indicate a shift toward more collaboration among cybercrime groups, the operators of the IcedID and TrickBot banking Trojans appear to have partnered and […]

Read more

TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel. The availability of both code bases lowers the barrier for […]

Read more

‘Rubella Macro Builder’ Crimeware Kit Emerges on Underground

A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static antivirus detection. First offered for sale in late February for the relatively […]

Read more

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency. Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in […]

Read more

Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 28.0.0.137, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player […]

Read more

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model

Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires […]

Read more

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs

October 24, 2017

Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular in the cybercriminal ecosystem over the past several years. UAS — which stands for “Ultimate Anonymity Services” — is one such popular cybercriminal RDP shop that has been online since February 16, 2016.  UAS offers SOCKs proxies in addition to over […]

Read more

How Ransomware has become an ‘Ethical’ Dilemma in the Eastern European Underground

September 20, 2017

It’s no secret that the Deep & Dark Web (DDW) is home to illicit marketplaces and forums, as well as an array of cybercriminal communications. Less obvious, however, are the nuances of these communications, the unspoken code of conduct that exists in cybercriminal communities, and the “ethical” dilemma that certain types of attacks can cause. […]

Read more

New Version of “Trickbot” Adds Worm Propagation Module

July 27, 2017

On July 27, 2017, in coordination with Luciano Martins, Director of Cyber Risk Services at Deloitte, Flashpoint observed a new version – “1000029” – of the formidable “Trickbot” banking Trojan with a new “worm64Dll” module, spread via the email spam vector, impersonating invoices from a large international financial institution. Image 1: The latest Trickbot tt0002 […]

Read more